secconfig, secsetup - Security features setup graphical
interface (Enhanced Security)
/usr/sbin/sysman secconfig
Note
The secsetup utility has been replaced by the secconfig
graphical interface.
The secconfig utility is a graphical interface used to
select the level of system security needed. It can convert
from base to enhanced security mode, and configure base
and enhanced security features. If you are using secconfig
to enable enhanced security, you must first have loaded
the enhanced security subsets.
You can run secconfig while the system is in multiuser
mode. However, if you change the security level, the
change is not completed until you reboot the system.
For both base and enhanced security, the secconfig utility
allows you to enable segment sharing, to enable access
control lists (ACLs), and to restrict the setting of the
execute bit to root only.
For enhanced security, the secconfig utility additionally
allows you to configure security support from simple
shadow passwords all the way to a strict C2 level of security.
Shadow password support is an easy method for system
administrators who do not wish to use all of the extended
security features to move each user's password out of
/etc/passwd and into the extended user profile database
(auth.db). You can use the Custom mode if you wish to
select additional security features, such as break-in
detection and evasion, automatic database trimming, and
password controls.
When converting from base to enhanced security, secconfig
updates the system default database (/etc/auth/system/default)
and uses the convuser utility to migrate user
accounts.
While it is possible to convert user accounts from
enhanced back to base, the default encryption algorithms
and supported password lengths differ between base and
enhanced security, and thus user account conversions do
not succeed without a password change.
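
Added example (not part of the original manual page): a post-conversion check that no account in a passwd-format file still carries a password value, which is the point of moving passwords into the extended user profile database. The function name audit_passwd is hypothetical, and treating "*", "x" and a leading "!" as placeholders is an assumption to confirm on the system being checked.

```shell
#!/bin/sh
# Added example; not code from the secconfig documentation.
# audit_passwd FILE
#   Prints one finding per account whose password field is not a placeholder:
#     HASH <user>       field still holds a value (likely a password hash)
#     EMPTY <user>      field is empty (account has no password)
#     MALFORMED line N  fewer than 7 colon-separated fields
#   Exit status is 1 when anything was reported, 0 otherwise.
audit_passwd() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^[+-]/            { next }        # NIS compat entries, no local password
        NF < 7   { printf "MALFORMED line %d\n", NR; bad = 1; next }
        $2 == "" { printf "EMPTY %s\n", $1; bad = 1; next }
        $2 == "x" || $2 ~ /^[*!]/ { next } # placeholder or locked (assumed conventions)
        { printf "HASH %s\n", $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample in passwd format; not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:0:1:system PRIVILEGED account:/:/bin/sh
alice:Xy12abCdEfGhI:200:15:Alice:/usr/users/alice:/bin/ksh
bob::201:15:Bob:/usr/users/bob:/bin/ksh
carol:*:202:15:Carol:/usr/users/carol:/bin/ksh
EOF
audit_passwd "$sample" || echo "accounts listed above still need attention"
rm -f "$sample"
```

Run it against a copy of /etc/passwd after the reboot that completes the conversion; an account reported as HASH was not migrated, and one reported as EMPTY has no password at all.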
Note
Because of the page table sharing mechanism used for
shared libraries, the normal file system permissions are
not adequate to protect against unauthorized reading. The
secconfig interface allows you to disable segment sharing.
The change in segment sharing takes effect at the next
reboot.
/etc/auth/system/default
/etc/passwd
/tcb/files/auth.db
acl(4), authcap(4), default(4), convuser(8)
Security
secconfig(8)